1st October 2005 - One of the more interesting aspects of virus outbreaks is the way some viruses bounce back. Frequently, older viruses that emerged ages ago, and which had seemingly disappeared, re-emerge at the top of the charts, forcing antivirus experts to play a guessing game when it comes to determining the reasons for these unexpected revivals. The Virus Top 20 for this September provides the latest example of an unexpected virus comeback.

The all-out offensive of Mytob worms suddenly gave way to relative calm. There are two probable reasons for this.

First of all, in August 2005 a new Microsoft Windows vulnerability, MS05-039, was discovered in the Plug'n'Play service. Virus writers immediately switched gears from email worms to network worms. This affected Kaspersky Lab's Top 20, particularly in terms of email worms.

Secondly, this bias has also attracted the attention of law enforcement agencies, resulting in the arrests of two individuals in Morocco and Turkey accused of creating worms from the Mytob family. Whether they are the actual authors will only be clear when the investigation is complete. However, in September, after the arrests, new Mytob variants continued to emerge, but in significantly smaller numbers.

Instead, contrary to all expectations, Zafi.d is now in first place. This worm was first identified in October 2004, and topped the Virus Top 20 in December and January. It then gradually fell in the charts, and in August 2005 accounted for a mere 6% of all virus traffic. In September, this Hungarian worm moved up 3 positions and accounted for 11% of all email worm traffic. Moreover, we now have Zafi.b in third place. This may be related to the emergence of Zafi.e, the first new Zafi variant in almost a year. More than likely, Zafi.e will soon become a regular on Kaspersky's virus reports.

Another point of interest in September's Top 20 is NetSky, the most widespread and dangerous worm of last year. This summer, NetSky waged an unremitting war on Mytob worms for a share of mail traffic. NetSky variants seem to be losing the war. Last year's leader, NetSky.q, is now in 8th place, demonstrating that the Virus Top 20 is coming to a turning point. In spite of the 5th place achieved by another member of the NetSky family, the NetSky.b variant, it seems that this family will be pushed out of the top 10 in the near future.

LovGate.w continues to surprise. In 2004, it consistently appeared in the top 10. In 2005, it fell to 15th place in July and we expected it to disappear altogether. However, this was not to be. In August, it rose to 8th place, and in September to 4th. Surprisingly, another LovGate variant has made it to the Top 20 - LovGate.ae has unexpectedly shown up in the group of returnees.

The Mytobs are rotating. Nearly all of the variants that made the top 20 in the past couple of months have increased their propagation rates. Additionally, nearly all variants that appeared in the top 20 at the beginning of this summer or in spring are falling. Only the position of Mytob.c remains relatively unchanged, and Mytob.q is steadily gaining ground as it nears the top. Overall, the Mytobs still dominate the Top 20 with 11 variants - that is, more than half of all positions on the Top 20.

Over 20 new Bagle variants were discovered in September. On some days, as many as 5 or 6 new variants appeared within the space of a couple of hours, thus keeping antivirus companies busy. It would seem that such activity and the previous success of this family of worms should be reflected on the September charts, although this did not happen. It is hard to tell why - whether it was the quick response of antivirus companies which halted the outbreak, the thoughtfulness of users who did not execute worm files sent to them, or errors in the worm's code resulting in its inability to work on some systems. In all probability, a combination of all these factors was responsible. However, diligence is still needed, as the authors of Bagle organize such outbreaks on a regular basis.

The number of other malicious programs in email traffic has dropped for the first time this year -- an interesting development that we will be watching carefully in the future.

About Kaspersky Lab
Kaspersky Lab develops, produces and distributes information security solutions that protect customers from IT threats and allow enterprises to manage risk. Kaspersky Lab's products protect electronic information from viruses, spyware, hackers and spam for home users and corporate networks alike. For many years now the company has waged a battle against malicious programs, and in doing so has gained unique knowledge and skills that have led to Kaspersky Lab becoming a technology leader and acknowledged expert in the development of malware defences. Today, Kaspersky's products protect more than 75 million users worldwide and its technology is licensed by leading security vendors including Aladdin, BlackSpider Technologies, BorderWare Technologies, F-Secure, FrontBridge Technologies, Microworld and Sybari.